Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Service Groups (tcp/udp) for Network Secrurity Group (NSG) for complex services.

      Some time for services to work we need many tcp/udp ports. For example to limit access from DMZ to AD in another subnet we need to create a lot-lot-lot of rules.
      Is it possible to create object with needed tcp/udp ports group and apply this service group to one NSG rule.

      23 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    2. ASG across vNets

      ASG are absolutely wonderful stuff.Would be good to have added features of ASG across subscriptions/Vnets and any possibility of specifying Hostnames

      20 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    3. Allow network security to allow or deny other network security groups

      Amazon Web Services allows a security group to allow or deny other security groups (including itself). This allows you to easily group NICs (VMs) into the same "VLAN", or to allow one "server role" to access another "server role" (for example allow the WAP security group to access the ADFS security group)

      19 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    4. allow KMS traffic in Azure Firewall

      Azure Firewall currently block by default traffic to Azure KMS servers, this should be included in the built-in to not disrupt license validation.

      18 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    5. Add service tags for Azure PowerShell authentication and execution

      When we currently authenticate and execute Azure PowerShell on Azure VM, we have to permit the Internet access on Firewall (e.g. NSG). But most customers want to restrict the Internet access as much as possible. I think it is important for more control and improving network security on Azure VM to add service tags for Azure PowerShell authentication and execution.

      17 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    6. Network Security Group Source Azure Services option

      My scenario include two Virtual Machines acting as Web Servers and a Traffic Manager in-place if the primary node fails I can switch to the other VM that is in a different datacenter. However they are accessible only by specific public IPs and to get Traffic Manager working, I had to create a rule in a different port for ANY.

      Wouldn't be easier to have an option on Source Azure Services, like there is in Azure SQL Server firewall?

      17 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    7. 17 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    8. Allow the Front Door WAF to block/allow by the Socket IP, and not just the Client IP

      Currently, the option to block by IP on the Azure Front Door WAF only allows you to block by the RemoteAddr IP, which is the Client IP. We use a reverse proxy so need the ability to block by what is called the SocketIP in the Azure WAF Logs.

      16 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    9. Provide NSG Tags for PaaS Services

      Provide a way to TAG resoures in NSG - such as Azure Storage, Azure SQL and other PaaS Services or let user define his own custom tags.

      15 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    10. Service Tags for Windows Updates (WU) and RedHat Update Infrastructure (RHUI) suggestion

      I have been using Azure Automation's Update Management for VMs that are internet facing without issue until I am required to use it on VMs that are non-internet facing (intranet) environment where I'm stumble into a lot of NSG configuration complexity.

      Any chance of having these Service Tags?


      • AzurePlatformWU

      For an example having this Service Tag created for NSG in order for consumer to configure Windows VM resources to utilise Azure Automation's Update Management feature, and allow Windows VMs to receive Windows Updates securely.

      The current problem is that Windows Updates can be distributed through multiple Windows Update URL endpoints…

      15 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    11. Redesign default NSG rules to allow only VNET filtering

      When using a hub-spoke model with an Azure Firewall in the hub vnet, we are facing the issue that too much traffic will be allowed by default NSG rules on the hub and spoke vnets.
      (https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke)

      The reason for this is the fact that the virtual network service tag "VirtualNetwork" will contain 0.0.0.0 as soon as we create a UDR 0.0.0.0 that points to the Azure Firewall.
      (https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview)

      The default NSG rule 65000 "AllowVnetInBound" will by now accept source 0.0.0.0 to destination 0.0.0.0.
      The next rule (that we do need), 65001 "AllowAzureLoadBalancerInBound" will never be triggered,…

      15 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    12. Add NSG Rule activity log alert alerts to portal

      Background: Currently, the only way to create a NSG rule activity log alert is through ARM templates. The documentation provided with the Unified Alerts public preview made it ambiguous that NSGs but NOT NSG rules were able to be created in the portal. Otherwise the new Unified Alerts is pretty awesome :)

      Proposed Action: 1) Create an option in the Alerts blade for NSG Rule alerts to be created. 2) Update documentation to be more explicit in differentiating NSGs/NSG rules in activity log alerts.

      14 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    13. have the ability to use more than one asg in an nsg rule (separated with , for example)

      let's say that i have 2 apps that i want to be able to access any endpoint.

      APP A containing these servers:10.0.0.1,10.0.0.2
      and APP B: 10.0.0.4,10.0.05

      my nsg rule will use :10.0.0.1,10.0.0.2,10.0.0.4,10.0.05
      if i`m moving to work with asg i want the ability to add both app a and app b together in the same nsg rule.

      will it be supported?

      13 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    14. Add ability to use a Network Security Group (NSG) as a rule source/target

      Currently NSG rules have the concept of the source or target being a Tag, and there are a couple predefined tags (Internet, VirtualNetwork, and AzureLoadBalancer). It would be nice if there was a similar feature where you could select the source or target being another network security group. Resources would be considered part of a NSG if they have their network interface associated with that NSG, they are in a subnet associated with that NSG, or they are in a VNET associated with that NSG. This essentially creates a subnet that has a dynamic address space.

      13 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    15. NSG Rule

      I have a suggestion for NSG rule configuration, when we have multiple source or destination IP and ports for same type of rule we need to configure rules for individual IP and port. Here the number of rule increases. If it is possible to have option to create ip/net group and port group, it will be easier to configure rules and maintain.

      12 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    16. Ability to group Network Security Groups

      Consider adding some kind of grouping functionality within Network Security Groups. This would make things a lot more simple

      Somekind like this: https://blogs.technet.microsoft.com/isablog/2009/11/25/forefront-tmg-rule-grouping/

      11 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    17. Azure Service Bus and Azure Relay with firewall configuration like Azure Storage to restrict access to VNET and/or IP Ranges

      Azure Service Bus and Azure Relay should provide a mechanism to restrict access to specified IP Ranges (CIDR Blocks) and Specified VNET's just like Azure Storage. This would allow for better security in the event that the SASToken is ever compromised.

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    18. Transparent interception for security appliances

      Allowing a method of transparent interception for network/security appliances to allow them to operate, but still be able to take advantage of configuring new applications completely via ARM.

      e.g. new app has external load balancer, 3 tier of VMs etc. But we could slot an IPS in between Ext Load Balancer and Web tier, or outside ELB etc.. Without having to also configure a Layer 3 policy & NAT on security appliance.

      Ideally have options of both inline, and "SPAN" mode. and be able to attach to Load Balancers, NICs, and where there are tags, eg 'Internet' routes.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →

      Hi Peter, Thanks for the suggestion, Looks like you are looking for a way to be able to get ERSPAN or port mirroring functionality that can be transparently switched on any VM , and if you slot in a IPS/advanced inline processing functionality of your choice that acts a collector to obtain and do what it needs to do, that would do the job, is that right?

    19. Add ability to use source type "IP group" in NSG rules

      A nice new Azure feature is the option to create an "IP group", and it would be nice. if we are able to use these "IP group(s)" in our NSG rules.

      https://docs.microsoft.com/en-us/azure/firewall/ip-groups

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    20. Ability to use Azure tags as source and/or destination in the Azure firewall

      Some NVA vendors are providing this ability already and it is very useful.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    • Don't see your idea?

    Feedback and Knowledge Base